Zscaler ThreatLabZ recently discovered a new DoS family bot named Sieren. A denial-of-service (DoS) attack is a cyber-attack in which cybercriminals disrupt the service of a host connected to the internet, either temporarily or indefinitely, to its intended users. In this analysis, we’ll describe Sieren’s functionality and communication, its 10 DoS methods, its bot commands, and its IoCs.
Sieren is capable of performing HTTP, HTTPS, and UDP flooding on any web server location as instructed by the command-and-control (C&C) server.
Sieren starts communication with the server by sending system information.
Data is separated by the “&” symbol.
Processor architecture (If 32 bit then 0 else 1)
MD5 of the above data
In response, the C&C server sends a target URL for performing a DoS attack. Data is separated by the “&” symbol.
60: used for sleep (60 * 1000 millisecond)
ID = 260
Method = 2
Target = https://deti-online.com/
Type = GET
Threads = 100
Sleep = 100
Port = 0
Sockets = 0 (number of sockets)
Size = 0 (size of data sent through packet during DDos)
CreatedAT = Timestamp
Data = Empty (data sent through packet during DDoS)
The malware is capable of performing a DoS attack against the target URL using different methods. The variant we analyzed has 10 methods supported for flooding, and it chooses the method based on data received from the C&C server.
In the above instance, we saw that a Russian education material website (https://deti-online[.]com) was the intended target for this bot. We also identified other locations, such as forum.exlpoit[.]in and x3p0[.]xyz, as the DoS targets from the C&C server during our analysis.
The Sieren bot selects the DoS method based on data received from the C&C server. Below are the parameters used in these methods:
No of threads
No. of Sockets
Size of data
The C&C server can specify the port, data, sleep time, sockets, and size of packets that will be used during flooding.
During flooding, a user agent is selected randomly from a predefined list, as shown below.
DoS methods supported by Sieren
In this method, the malware first gets the cookies for the target URL using InternetGetCookieEx and uses them in the HTTP header when generating flood requests. Based on the protocol (HTTP/HTTPS) and method (POST/GET), it starts sending multiple requests to the target URL.
The below screenshot contains code for generating the header part.
The below screenshot contains the HTTP flooding code:
The below screenshot contains the HTTPS flooding code:
The malware creates 50 sockets and sends 50 HTTP requests before executing a sleep command with the value supplied by the C&C server. It will repeat this process until taskID is active.
This method is similar to method 2, but the bot won’t sleep after every 50 requests.
In this method, the bot will use data supplied by the C&C server in the flood requests to the target URL.
In this method, the bot will also accept a response during the flooding of the target URL, after which it will sleep for 100 seconds. Then it again starts sending flood requests to the target URL.
This method is called when the number of sockets and port is specified by the C&C server. In this method, the bot will not send HTTP or HTTPS flood requests; instead, it opens multiple sockets for the target URL in an attempt to exhaust web server-side resources. It repeatedly closes and opens additional sockets to the target URL until taskID remains active.
This method is identical to Method 6 and appears to be a placeholder for a future update.
In this method, the bot will receive arguments such as the size of random data, number of sockets, and port information from the C&C server. The bot will generate random data based on specified size, open multiple sockets, and flood the target URL with the randomly generated data.
In this method, the C&C server will supply the size of random data and port information. The bot will generate random data and flood the target URL on the specified port.
This method is used for UDP-based flooding. The bot will send random data using the UDP protocol, and it sets the TTL (time to live) value between 220 and 225 for these packets.
The bot will stop performing flood requests once the C&C server stops sending additional commands.
Sieren bot commands:
Other than the DoS feature-related methods, the malware has three additional commands.
“dlexec”: Download payload from the URL given by the C&C server and execute it.
“update”: Download the updated version and execute it. It also deletes itself using the cmd process.
“Uninstall”: Deletes itself using the cmd process.
Indicators of Compromise:
*** This is a Security Bloggers Network syndicated blog from Research Blog authored by RDodia@zscaler.com. Read the original post at: http://www.zscaler.com/blogs/research/sieren-new-dos-bot